** WEIRD STUFF Sendmail running But NOT installed Hacker maybe? **
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
OK this is friggin strange.
My RH9 box started kernel seg faulting the other day; it has happened like 3 times so far. During my investigation I noticed this process running under the user APACHE with the command /usr/sbin/sendmail -t -i -fbounce@tranix.com
Now, 1st thing: I do not use sendmail and do not have it installed.
2nd, what are the -t -i -f switches for and what the hell is this running for?
Looks like your machine might be relaying SPAM. As for the flags, from the sendmail man page:
Quote:
-i Ignore dots alone on lines by themselves in incoming messages. This should be set if you are reading data from a file.
-t Read message for recipients. To:, Cc:, and Bcc: lines will be scanned for recipient addresses. The Bcc: line will be deleted before transmission.
-fname Sets the name of the ``from'' person (i.e., the envelope sender of the mail). This address may also be used in the From: header if that header is missing during initial submission. The envelope sender address is used as the recipient for delivery status notifications and may also appear in a Return-Path: header. -f should only be used by ``trusted'' users (normally root, daemon, and network) or if the person you are trying to become is the same as the person you are. Otherwise, an X-Authentication-Warning header will be added to the message.
Looks like it probably is reading instructions (addresses?) from some file, mailing it out with a BCC to the spammer (but being removed for his deviousness), and setting the FROM address to a fake address. Back with more info in a sec.
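The signature described above (sendmail launched by the web-server account with -t -i and a forged -f sender) can be picked out of a process listing automatically. The following is an added example, not code posted in this thread; the ps listing is constructed, the domain is a placeholder, and the list of web-server accounts is an assumption you would adjust to your box:

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,pcpu,pmem,args` output (not from the
# poster's machine). One apache-owned sendmail with a forged envelope sender.
SAMPLE_PS='USER       PID %CPU %MEM COMMAND
root         1  0.0  0.1 init
apache    2231  0.0  0.3 /usr/sbin/httpd
apache    2290  0.2  0.5 /usr/sbin/sendmail -t -i -fbounce@example.invalid
root      2301  0.0  0.2 /usr/sbin/sendmail -q1h
apache    2310  0.0  0.3 /usr/sbin/httpd'

# Assumed accounts the web server runs as; a mailer started by any of them
# is worth a look, since CGI/PHP code normally has no business sending mail
# with an explicit envelope sender.
WEB_USERS="apache www-data nobody"

# Reads a ps listing on stdin and prints one line per sendmail process owned
# by a web-server account, extracting the -f sender (attached or separate form).
flag_webuser_sendmail() {
  awk -v users="$WEB_USERS" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) w[u[i]] = 1 }
    ($1 in w) && $5 ~ /sendmail$/ {
      sender = ""
      for (i = 6; i <= NF; i++) {
        if ($i == "-f" && i < NF)  sender = $(i + 1)
        else if ($i ~ /^-f./)       sender = substr($i, 3)
      }
      printf "pid=%s user=%s envelope_from=%s\n", $2, $1,
             (sender == "" ? "(none)" : sender)
    }'
}

# Stand-alone run over the constructed sample; on a live box feed it
# `ps -eo user,pid,pcpu,pmem,args` instead.
printf '%s\n' "$SAMPLE_PS" | flag_webuser_sendmail
```

Run it against the live listing before anything is shut down, and keep the output with the rest of the evidence.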
A WHOIS on tranix.com turned up that site being registered to a Raliegh Nichols in Las Vegas. Some Googling led to a Raliegh Nichols running a site Action Online Marketing. Besides the name sounding explicitly like a spammer, from the About Us:
Quote:
ActionOnlineMarketing.com is one of the industry leaders in providing a cost per action based advertising model. The majority of our focus relies on several primary facets proven to deliver marketing on a CPA basis. These are opt-in email marketing, network creation; affiliate marketing, search engine submission and optimization and acquiring pay per funded business development partners.
Note the email marketing.
You probably have been hit by a spammer. Do not do anything yet! We might be able to catch him and get him put away. Anyone out there know where to go from here?
Update: tranix.com itself just has a default Apache test page for RedHat. I advise no one else to go there, as we don't want to tip this guy off that we are on to him.
Alright: running a traceroute on tranix.com leads to the ISP lasvegas.net, furthering the belief that this is Mr. Nichols from Las Vegas. Please do not email lasvegas.net. We could get this guy for spamming by emailing them, but getting him for this would be much better.
A WHOIS on http://actiononlinemarketing.com turns up not Nichols, but another Las Vegas resident. We can't jump to conclusions, however. AOM might not know that this guy is doing this (yeah right), so we shouldn't say anything to them at this time.
I want to get this guy and teach other spammers out there that there is a price.
Next step would be to alert whoever his domain name provider is, and report him for hacking and abuse. With any luck they will drop his domain names.
He is in the US, that is always a plus. Many countries don't seem to care about this sort of thing, and I have heard of people reporting abuse to ISPs in the Middle East, and the ISP basically told them they don't care, and they don't have to do anything about it.
It appears that this guy's DNS is twisted4life.com, but I'm not sure; that's the info that turned up in the WHOIS. Could it be possible that more could be done than just having them drop his domain names? Criminal charges perhaps? DropHit, do you live in Nevada? If not then this is a crime across state lines, something the FBI could get involved in. I want to hit this guy so hard in the nuts he'll never do it again.
There is illegal activity, and as you said, it could be across state lines (as we learned from "Hackers", never hack across state lines).
But I think since there was no real damage or vandalism, it will be hard to get the authorities to take it seriously. Maybe if he broke in and deleted a database, but I don't think they are going to put him away for spam.
It is a shame though, I have gotten hit with a similar attack before on a Windows 2000 server. I would have loved to get the guy arrested...
Quote:
It appears that this guy's DNS is twisted4life.com, but I'm not sure; that's the info that turned up in the WHOIS.
I don't think the WHOIS data can be falsified, so if that is what WHOIS says, it must be true.
I did some looking around at his DNS service, and found some promising parts in the TOS:
Quote:
5) The User understands that they accept full responsibility for any violations against any applicable laws, local or otherwise.
6) The provider reserves the right to remove any User from the service by giving 30 days notice by email for whatever reason it deems fit to do so.
Quote:
***We consider abuse of our network and services to be using our services to facilitate unsolicited email (spam), violation of trademarks or copyrights, disrupts or in any way causes denial of service to ourselves or our customers, cause or promote abusive or threatening behavior. Additionally any activity that is considered illegal or a criminal offense, including the transfer of copyrighted mp3's, videos or any other form of copyrighted material.
So if the spam can be proved, according to the TOS, they should get dropped.
Maybe the case could be made like in this /. article. Really I guess it's up to DropHit as to what should be done with the spammer. I say if he wants the ISP contacted he should do it; he's got all the evidence.
Update: if you check out the Privacy policy at AOM you'll see one question: "What do we do?" Nothing else. I guess I can answer with, "Hack into other people's machines and steal their bandwidth to send out unsolicited mass emails."
Update: when Mr. Nichols registered tranix.com his email was at lvcm.com, which redirects to a Cox Communications ISP for Las Vegas. Either Mr. Nichols was caught doing this before and dropped from that ISP, or he decided to switch ISPs after lvcm was bought out by Cox (just speculating as to whether they were bought out), or he just has two ISPs. It's amazing how much you can figure out about somebody using Google and other free tools on the web.
You can contact the FTC, they're in charge of the CAN-SPAM act. This is from their web site:
Quote:
Additional fines are provided for commercial emailers who not only violate the rules described above, but also:
"harvest" email addresses from Web sites or Web services that have published a notice prohibiting the transfer of email addresses for the purpose of sending email
...
relay emails through a computer or network without permission – for example, by taking advantage of open relays or open proxies without authorization.
The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial emailers who do – or conspire to:
use another computer without authorization and send commercial email from or through it
use a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message
...
I'd definitely recommend reporting this to the FTC, as this sounds basically like a violation of most of section 1037 of the CAN-SPAM act:
Quote:
Sec. 1037. Fraud and related activity in connection with electronic mail
(a) IN GENERAL- Whoever, in or affecting interstate or foreign commerce, knowingly--
(1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer,
(2) uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
(3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or
(5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses,
or conspires to do so, shall be punished as provided in subsection (b).
You can file complaints by following the links tsachi posted or directly through the link below. You can also file a complaint with your internet provider, as it's their resources which are being misused as well. Also check out the link below for more info on reporting computer crime in general.
I'd also recommend that you treat this as a security compromise and perform forensic analysis on the system if at all possible. So you should try to manipulate the system as little as possible in order to preserve any potential evidence. You should get a listing of all the current processes as well as open ports and you should consider running a rootkit detection application like chkrootkit or rootkit hunter before shutting the system down. Next download and burn a copy of a CD-ROM based distro on a different system (there are a number of them available, but knoppix-std and FIRE are geared more towards security/forensic analysis). Then boot the system with the CD-ROM distro (don't reboot the old kernel). Mount the drive containing the compromised system as read-only. At this point, you can dig around in the system and look for any cracker files or rootkit stuff without losing evidence.
You can then use the CERT "Steps to recovering from a UNIX or NT system compromise" and other assorted links available in unSpawn's security references thread under the "Compromise, breach of security, detection" section as a guide on things to look for when analyzing the system. Make sure to thoroughly look through the old logs for any anomalies. If you are getting kernel segfaults and oops, I'd be highly suspicious of a rootkit. If chkrootkit or rootkit hunter identified anything, then you should have a better idea of what to look for. One last note: if the system has indeed been compromised (which seems highly probable), you will need to completely format the drive and reinstall from trusted media. In fact, if you have a spare drive or can afford a new one, you may want to keep the old one around as potential evidence.
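The "record processes and open ports before shutting down" step above is easy to get wrong under pressure, so here is an added example (not from any poster in this thread) of a POSIX shell function that captures that volatile state to a directory on separate media and hashes every capture so the record can be shown untampered later. The output directory path and the presence of ss, netstat, lsof and sha256sum on the host are assumptions; tools that are missing are noted and skipped rather than aborting the collection.

```shell
#!/bin/sh
# Volatile-state capture for a suspected compromise. Write to removable or
# network media (the assumed $1), never to the suspect disk, and do it
# before rebooting: a reboot into the old kernel loses all of this.

sha256_tool() {   # prefer coreutils sha256sum, fall back to perl shasum
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

collect_volatile() {
  outdir="$1"
  mkdir -p "$outdir"
  run_and_save() {   # $1: capture name; rest: command line to run
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
      "$@" > "$outdir/$name.txt" 2>&1 || true   # keep going on tool errors
    else
      echo "tool not available on this host: $1" > "$outdir/$name.txt"
    fi
  }
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
  run_and_save processes   ps -eo pid,ppid,user,lstart,args   # full command lines
  run_and_save sockets     ss -tulpan                          # listeners + peers, with PIDs
  run_and_save netstat     netstat -tulpan                     # older boxes lack ss
  run_and_save open_files  lsof -n -P                          # files/sockets per process
  run_and_save modules     cat /proc/modules                   # loaded kernel modules
  run_and_save logged_in   who -a
  run_and_save mounts      cat /proc/mounts
  # Hash every capture; the manifest is what you later verify against.
  ( cd "$outdir" && sha256_tool ./*.txt ) > "$outdir/MANIFEST.sha256"
  echo "$outdir/MANIFEST.sha256"
}

# Re-check the captures against the manifest; returns non-zero on any change.
verify_captures() {
  ( cd "$1" && sha256_tool -c --quiet MANIFEST.sha256 >/dev/null 2>&1 )
}
```

Copy the directory and its manifest to a second location immediately; the same manifest check (`verify_captures DIR`) is what you run before handing the material to an ISP abuse desk or law enforcement.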